Yes, this isn’t as exciting and dramatic (and traffic generating) as “France outlaws hashed passwords”, the headline on slashdot and Hacker News, but it’s the reality of the situation.
France has passed a new law, requiring companies store “…users’ full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.”
While it’s a pretty stupid to require the storing of passwords that can be handed over to authorities (probably to allow them to use those passwords to access services outside France), there’s nothing which prevents the continued secure use of password hashes.
A simple system which meets these new requirements is:
- Store password hash with salt in live database as is best practice
- Encrypt the plain text password using public key encryption, and store the encrypted value in another database in a record along with the plain text username. If the username already exists, replace the stored value with the new one.
- Store the private key offline in a secure bank vault (or 2), using multiple USB keys for data protection
- If and when the government require access, company director goes to bank vault, retrieves USB key, uses private key to decrypt stored password value of that single user, then returns USB key to bank vault
It’s a hassle, and it’s definitely a bit silly, but this new law doesn’t “require” any massive reduction in security if implemented correctly. Yes, the private key could provide access to all usernames’ plain text passwords, but this is an existing issue around things like hashing algorithms, salts, and source code security.
And if a company doesn’t implement it correctly? Well, the same recommendation as always applies – never reuse passwords for multiple sites, especially your email accounts, which can be used to retrieve or reset passwords using most website “Lost your login details?” functions.